Since 2004, a source for ranting, reviews and InfoSec news


Bitlocker encryption bypass

Management types are always trying to push BitLocker rather than third-party encryption because it's free. "Free" as in "included in Windows Professional/Enterprise". They never consider the less obvious costs in usability and to the helpdesk. The Windows guys would even team up with the management types, complaining that non-Microsoft full disk encryption products made system deployment difficult. (There are of course ways to work with things like MDT in McAfee encryption. I don't know about the other products.)

For me it always came down to two main things.

1. It's not acceptable security to me to use BitLocker without pre-boot authentication.

2. Using BitLocker with pre-boot authentication is kind of annoying.

   a. BitLocker pre-boot authentication requires a per-machine password. Users would need to know this additional password rather than the single sign-on used by non-Microsoft alternatives.

   b. The password recovery options available are kind of cumbersome.

This month, Microsoft released security bulletin MS15-122 to patch a vulnerability in BitLocker when it is used without pre-boot authentication. The attack involves spoofing a domain controller.
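Since the bypass only matters for volumes that rely on the TPM alone, the practical check is to find out which machines actually have pre-boot authentication and which have the MS15-122 update. The script below is an added example written for this post, not Microsoft's code or anything from the bulletin. It uses the BitLocker PowerShell module's Get-BitLockerVolume (Windows 8 / Server 2012 and later, elevated session) and treats a TPM+PIN, TPM+startup key, startup-key-only or password protector on the operating system volume as pre-boot authentication. The KB article number for MS15-122 is not given in the post, so it is left as a placeholder you must fill in from the bulletin.

```powershell
# Added example (not from the original post): audit BitLocker protectors on the local
# machine and flag OS volumes that have no pre-boot authentication, then check whether
# the MS15-122 update is installed. Assumes the BitLocker module and an elevated shell.

# Protector types that require something at boot beyond the TPM (assumption: these are
# the KeyProtectorType values returned by Get-BitLockerVolume on current Windows builds).
$PreBootProtectorTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'ExternalKey', 'Password')

# Placeholder: replace with the KB number listed in the MS15-122 bulletin for this OS.
$Ms15122KbId = 'KB<MS15-122 article id>'

function Get-BitLockerPreBootAudit {
    # One record per BitLocker volume; PreBootAuth is $true only when at least one
    # protector of a pre-boot type is present.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPreBoot = @($types | Where-Object { $PreBootProtectorTypes -contains $_ }).Count -gt 0
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType        # OperatingSystem, Data, ...
            ProtectionStatus = $vol.ProtectionStatus  # 'Off' means the key is not protected (e.g. suspended)
            Protectors       = ($types -join ',')
            PreBootAuth      = $hasPreBoot
        }
    }
}

function Test-Ms15122Installed {
    # Get-HotFix lists installed updates; a missing KB simply returns no match.
    param([string]$KbId = $Ms15122KbId)
    return [bool](Get-HotFix | Where-Object { $_.HotFixID -eq $KbId })
}

# Report: OS volumes without pre-boot auth on an unpatched machine are the ones
# exposed to the MS15-122 domain-controller-spoofing bypass described in the post.
$audit = Get-BitLockerPreBootAudit
$audit | Format-Table -AutoSize

$exposed = $audit | Where-Object { $_.VolumeType -eq 'OperatingSystem' -and -not $_.PreBootAuth }
if ($exposed -and -not (Test-Ms15122Installed)) {
    Write-Warning "OS volume(s) rely on TPM-only protection and $Ms15122KbId is not installed."
} elseif ($exposed) {
    Write-Warning "OS volume(s) rely on TPM-only protection; patched, but still no pre-boot authentication."
} else {
    Write-Output "All OS volumes have a pre-boot authentication protector."
}
```

Run it on the machines in question (or wrap the two functions in Invoke-Command for a fleet) and treat any OperatingSystem volume whose only protectors are Tpm and RecoveryPassword as a machine the bypass applies to; the fix the post is arguing for is adding a TPM+PIN or startup-key protector, not just installing the update.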